#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <rpc/types.h>
#include <rpc/xdr.h>
#include <rpc/auth.h>
#include <rpc/auth_gss.h>
#include <rpc/clnt.h>
#include <netinet/in.h>
#include <gssapi/gssapi.h>

Include dependency graph for auth_gss.c:

Classes
struct	gss_union_ctx_id_t

struct	rpc_gss_data

Macros
#define	AUTH_PRIVATE(auth) ((struct rpc_gss_data *)auth->ah_private)

Typedefs
typedef struct gss_union_ctx_id_t	gss_union_ctx_id_desc

typedef struct gss_union_ctx_id_t *	gss_union_ctx_id_t

Functions
static void	authgss_nextverf ()

static bool_t	authgss_marshal ()

static bool_t	authgss_refresh ()

static bool_t	authgss_validate ()

static void	authgss_destroy ()

static void	authgss_destroy_context ()

static bool_t	authgss_wrap ()

static bool_t	authgss_unwrap ()

AUTH *	authgss_create (CLIENT clnt, gss_name_t name, struct rpc_gss_sec sec)

AUTH *	authgss_create_default (CLIENT clnt, char service, struct rpc_gss_sec *sec)

bool_t	authgss_get_private_data (AUTH auth, struct authgss_private_data pd)

static void	authgss_nextverf (AUTH *auth)

static bool_t	authgss_marshal (AUTH auth, XDR xdrs)

static bool_t	authgss_validate (AUTH auth, struct opaque_auth verf)

static bool_t	authgss_refresh (AUTH *auth)

bool_t	authgss_service (AUTH *auth, int svc)

static void	authgss_destroy_context (AUTH *auth)

static void	authgss_destroy (AUTH *auth)

bool_t	authgss_wrap (AUTH auth, XDR xdrs, xdrproc_t xdr_func, caddr_t xdr_ptr)

bool_t	authgss_unwrap (AUTH auth, XDR xdrs, xdrproc_t xdr_func, caddr_t xdr_ptr)

Variables
static struct auth_ops	authgss_ops

static struct timeval	AUTH_TIMEOUT = { 25, 0 }

Macro Definition Documentation

◆ AUTH_PRIVATE

#define AUTH_PRIVATE ( auth ) ((struct rpc_gss_data *)auth->ah_private)

Definition at line 143 of file auth_gss.c.

Typedef Documentation

◆ gss_union_ctx_id_desc

typedef struct gss_union_ctx_id_t gss_union_ctx_id_desc

◆ gss_union_ctx_id_t

typedef struct gss_union_ctx_id_t * gss_union_ctx_id_t

Function Documentation

◆ authgss_create()

AUTH* authgss_create	(	CLIENT *	clnt,
		gss_name_t	name,
		struct rpc_gss_sec *	sec
	)

Definition at line 148 of file auth_gss.c.

 {
     AUTH            *auth, *save_auth;
     struct rpc_gss_data *gd;
     OM_uint32       min_stat = 0;
 
     log_debug("in authgss_create()");
 
     memset(&rpc_createerr, 0, sizeof(rpc_createerr));
 
     if ((auth = calloc(sizeof(*auth), 1)) == NULL) {
         rpc_createerr.cf_stat = RPC_SYSTEMERROR;
         rpc_createerr.cf_error.re_errno = ENOMEM;
         return (NULL);
     }
     if ((gd = calloc(sizeof(*gd), 1)) == NULL) {
         rpc_createerr.cf_stat = RPC_SYSTEMERROR;
         rpc_createerr.cf_error.re_errno = ENOMEM;
         free(auth);
         return (NULL);
     }
 #ifdef DEBUG
     fprintf(stderr, "authgss_create: name is %p\n", name);
 #endif
     if (name != GSS_C_NO_NAME) {
         if (gss_duplicate_name(&min_stat, name, &gd->name)
                         != GSS_S_COMPLETE) {
             rpc_createerr.cf_stat = RPC_SYSTEMERROR;
             rpc_createerr.cf_error.re_errno = ENOMEM;
             free(auth);
             return (NULL);
         }
     }
     else
         gd->name = name;
 
 #ifdef DEBUG
     fprintf(stderr, "authgss_create: gd->name is %p\n", gd->name);
 #endif
     gd->clnt = clnt;
     gd->ctx = GSS_C_NO_CONTEXT;
     gd->sec = *sec;
 
     gd->gc.gc_v = RPCSEC_GSS_VERSION;
     gd->gc.gc_proc = RPCSEC_GSS_INIT;
     gd->gc.gc_svc = gd->sec.svc;
 
     auth->ah_ops = &authgss_ops;
     auth->ah_private = (caddr_t)gd;
 
     save_auth = clnt->cl_auth;
     clnt->cl_auth = auth;
 
     if (!authgss_refresh(auth))
         auth = NULL;
 
     clnt->cl_auth = save_auth;
 
     return (auth);
 }

Referenced by authgss_create_default().

◆ authgss_create_default()

AUTH* authgss_create_default	(	CLIENT *	clnt,
		char *	service,
		struct rpc_gss_sec *	sec
	)

Definition at line 210 of file auth_gss.c.

 {
     AUTH            *auth;
     OM_uint32        maj_stat = 0, min_stat = 0;
     gss_buffer_desc      sname;
     gss_name_t       name = GSS_C_NO_NAME;
 
     log_debug("in authgss_create_default()");
 
 
     sname.value = service;
     sname.length = strlen(service);
 
     maj_stat = gss_import_name(&min_stat, &sname,
         (gss_OID)GSS_C_NT_HOSTBASED_SERVICE,
         &name);
 
     if (maj_stat != GSS_S_COMPLETE) {
         log_status("gss_import_name", maj_stat, min_stat);
         rpc_createerr.cf_stat = RPC_AUTHERROR;
         return (NULL);
     }
 
     auth = authgss_create(clnt, name, sec);
 
     if (name != GSS_C_NO_NAME) {
 #ifdef DEBUG
     fprintf(stderr, "authgss_create_default: freeing name %p\n", name);
 #endif
         gss_release_name(&min_stat, &name);
     }
 
     return (auth);
 }

◆ authgss_destroy() [1/2]

static void authgss_destroy ( )

static

Referenced by authgss_refresh().

◆ authgss_destroy() [2/2]

static void authgss_destroy ( AUTH * auth )

static

Definition at line 580 of file auth_gss.c.

 {
     struct rpc_gss_data *gd;
     OM_uint32        min_stat;
 
     log_debug("in authgss_destroy()");
 
     gd = AUTH_PRIVATE(auth);
 
     authgss_destroy_context(auth);
 
 #ifdef DEBUG
     fprintf(stderr, "authgss_destroy: freeing name %p\n", gd->name);
 #endif
     if (gd->name != GSS_C_NO_NAME)
         gss_release_name(&min_stat, &gd->name);
 
     free(gd);
     free(auth);
 }

◆ authgss_destroy_context() [1/2]

static void authgss_destroy_context ( )

static

Referenced by authgss_destroy(), authgss_marshal(), authgss_refresh(), and authgss_validate().

◆ authgss_destroy_context() [2/2]

static void authgss_destroy_context ( AUTH * auth )

static

Definition at line 547 of file auth_gss.c.

 {
     struct rpc_gss_data *gd;
     OM_uint32        min_stat;
 
     log_debug("in authgss_destroy_context()");
 
     gd = AUTH_PRIVATE(auth);
 
     if (gd->gc.gc_ctx.length != 0) {
         if (gd->established) {
             gd->gc.gc_proc = RPCSEC_GSS_DESTROY;
             clnt_call(gd->clnt, NULLPROC, (xdrproc_t)xdr_void, NULL,
                   (xdrproc_t)xdr_void, NULL, AUTH_TIMEOUT);
         }
         gss_release_buffer(&min_stat, &gd->gc.gc_ctx);
         /* XXX ANDROS check size of context  - should be 8 */
         memset(&gd->gc.gc_ctx, 0, sizeof(gd->gc.gc_ctx));
     }
     if (gd->ctx != GSS_C_NO_CONTEXT) {
         gss_delete_sec_context(&min_stat, &gd->ctx, NULL);
         gd->ctx = GSS_C_NO_CONTEXT;
     }
 
     /* free saved wire verifier (if any) */
     mem_free(gd->gc_wire_verf.value, gd->gc_wire_verf.length);
     gd->gc_wire_verf.value = NULL;
     gd->gc_wire_verf.length = 0;
 
     gd->established = FALSE;
 }

◆ authgss_get_private_data()

bool_t authgss_get_private_data	(	AUTH *	auth,
		struct authgss_private_data *	pd
	)

Definition at line 246 of file auth_gss.c.

 {
     struct rpc_gss_data *gd;
 
     log_debug("in authgss_get_private_data()");
 
     if (!auth || !pd)
         return (FALSE);
 
     gd = AUTH_PRIVATE(auth);
 
     if (!gd || !gd->established)
         return (FALSE);
 
     pd->pd_ctx = gd->ctx;
     pd->pd_ctx_hndl = gd->gc.gc_ctx;
     pd->pd_seq_win = gd->win;
 
     return (TRUE);
 }

◆ authgss_marshal() [1/2]

static bool_t authgss_marshal ( )

static

◆ authgss_marshal() [2/2]

static bool_t authgss_marshal	(	AUTH *	auth,
		XDR *	xdrs
	)

static

Definition at line 275 of file auth_gss.c.

 {
     XDR          tmpxdrs;
     char             tmp[MAX_AUTH_BYTES];
     struct rpc_gss_data *gd;
     gss_buffer_desc      rpcbuf, checksum;
     OM_uint32        maj_stat, min_stat;
     bool_t           xdr_stat;
 
     log_debug("in authgss_marshal()");
 
     gd = AUTH_PRIVATE(auth);
 
     if (gd->established)
         gd->gc.gc_seq++;
 
     xdrmem_create(&tmpxdrs, tmp, sizeof(tmp), XDR_ENCODE);
 
     if (!xdr_rpc_gss_cred(&tmpxdrs, &gd->gc)) {
         XDR_DESTROY(&tmpxdrs);
         return (FALSE);
     }
     auth->ah_cred.oa_flavor = RPCSEC_GSS;
     auth->ah_cred.oa_base = tmp;
     auth->ah_cred.oa_length = XDR_GETPOS(&tmpxdrs);
 
     XDR_DESTROY(&tmpxdrs);
 
     if (!xdr_opaque_auth(xdrs, &auth->ah_cred))
         return (FALSE);
 
     if (gd->gc.gc_proc == RPCSEC_GSS_INIT ||
         gd->gc.gc_proc == RPCSEC_GSS_CONTINUE_INIT) {
         return (xdr_opaque_auth(xdrs, &_null_auth));
     }
     /* Checksum serialized RPC header, up to and including credential. */
     rpcbuf.length = XDR_GETPOS(xdrs);
     XDR_SETPOS(xdrs, 0);
     rpcbuf.value = XDR_INLINE(xdrs, rpcbuf.length);
 
     maj_stat = gss_get_mic(&min_stat, gd->ctx, gd->sec.qop,
                 &rpcbuf, &checksum);
 
     if (maj_stat != GSS_S_COMPLETE) {
         log_status("gss_get_mic", maj_stat, min_stat);
         if (maj_stat == GSS_S_CONTEXT_EXPIRED) {
             gd->established = FALSE;
             authgss_destroy_context(auth);
         }
         return (FALSE);
     }
     auth->ah_verf.oa_flavor = RPCSEC_GSS;
     auth->ah_verf.oa_base = checksum.value;
     auth->ah_verf.oa_length = checksum.length;
 
     xdr_stat = xdr_opaque_auth(xdrs, &auth->ah_verf);
     gss_release_buffer(&min_stat, &checksum);
 
     return (xdr_stat);
 }

◆ authgss_nextverf() [1/2]

static void authgss_nextverf ( )

static

◆ authgss_nextverf() [2/2]

static void authgss_nextverf ( AUTH * auth )

static

Definition at line 268 of file auth_gss.c.

 {
     log_debug("in authgss_nextverf()");
     /* no action necessary */
 }

◆ authgss_refresh() [1/2]

static bool_t authgss_refresh ( )

static

Referenced by authgss_create().

◆ authgss_refresh() [2/2]

static bool_t authgss_refresh ( AUTH * auth )

static

Definition at line 391 of file auth_gss.c.

 {
     struct rpc_gss_data *gd;
     struct rpc_gss_init_res  gr;
     gss_buffer_desc     *recv_tokenp, send_token;
     OM_uint32        maj_stat, min_stat, call_stat, ret_flags;
 
     log_debug("in authgss_refresh()");
 
     gd = AUTH_PRIVATE(auth);
 
     if (gd->established)
         return (TRUE);
 
     /* GSS context establishment loop. */
     memset(&gr, 0, sizeof(gr));
     recv_tokenp = GSS_C_NO_BUFFER;
 
 #ifdef DEBUG
     print_rpc_gss_sec(&gd->sec);
 #endif /*DEBUG*/
 
     for (;;) {
 #ifdef DEBUG
         /* print the token we just received */
         if (recv_tokenp != GSS_C_NO_BUFFER) {
             log_debug("The token we just received (length %d):",
                   recv_tokenp->length);
             log_hexdump(recv_tokenp->value, recv_tokenp->length, 0);
         }
 #endif
         maj_stat = gss_init_sec_context(&min_stat,
                         gd->sec.cred,
                         &gd->ctx,
                         gd->name,
                         gd->sec.mech,
                         gd->sec.req_flags,
                         0,      /* time req */
                         NULL,       /* channel */
                         recv_tokenp,
                         NULL,       /* used mech */
                         &send_token,
                         &ret_flags,
                         NULL);      /* time rec */
 
         if (recv_tokenp != GSS_C_NO_BUFFER) {
             gss_release_buffer(&min_stat, &gr.gr_token);
             recv_tokenp = GSS_C_NO_BUFFER;
         }
         if (maj_stat != GSS_S_COMPLETE &&
             maj_stat != GSS_S_CONTINUE_NEEDED) {
             log_status("gss_init_sec_context", maj_stat, min_stat);
             break;
         }
         if (send_token.length != 0) {
             memset(&gr, 0, sizeof(gr));
 
 #ifdef DEBUG
             /* print the token we are about to send */
             log_debug("The token being sent (length %d):",
                   send_token.length);
             log_hexdump(send_token.value, send_token.length, 0);
 #endif
 
             call_stat = clnt_call(gd->clnt, NULLPROC,
                           (xdrproc_t)xdr_rpc_gss_init_args,
                           &send_token,
                           (xdrproc_t)xdr_rpc_gss_init_res,
                           (caddr_t)&gr, AUTH_TIMEOUT);
 
             gss_release_buffer(&min_stat, &send_token);
 
             if (call_stat != RPC_SUCCESS ||
                 (gr.gr_major != GSS_S_COMPLETE &&
                  gr.gr_major != GSS_S_CONTINUE_NEEDED))
                 return FALSE;
 
             if (gr.gr_ctx.length != 0) {
                 if (gd->gc.gc_ctx.value)
                     gss_release_buffer(&min_stat,
                                &gd->gc.gc_ctx);
                 gd->gc.gc_ctx = gr.gr_ctx;
             }
             if (gr.gr_token.length != 0) {
                 if (maj_stat != GSS_S_CONTINUE_NEEDED)
                     break;
                 recv_tokenp = &gr.gr_token;
             }
             gd->gc.gc_proc = RPCSEC_GSS_CONTINUE_INIT;
         }
 
         /* GSS_S_COMPLETE => check gss header verifier,
          * usually checked in gss_validate
          */
         if (maj_stat == GSS_S_COMPLETE) {
             gss_buffer_desc   bufin;
             gss_buffer_desc   bufout;
             u_int seq, qop_state = 0;
 
             seq = htonl(gr.gr_win);
             bufin.value = (unsigned char *)&seq;
             bufin.length = sizeof(seq);
             bufout.value = (unsigned char *)gd->gc_wire_verf.value;
             bufout.length = gd->gc_wire_verf.length;
 
             maj_stat = gss_verify_mic(&min_stat, gd->ctx,
                 &bufin, &bufout, &qop_state);
 
             if (maj_stat != GSS_S_COMPLETE
                     || qop_state != gd->sec.qop) {
                 log_status("gss_verify_mic", maj_stat, min_stat);
                 if (maj_stat == GSS_S_CONTEXT_EXPIRED) {
                     gd->established = FALSE;
                     authgss_destroy_context(auth);
                 }
                 return (FALSE);
             }
             gd->established = TRUE;
             gd->gc.gc_proc = RPCSEC_GSS_DATA;
             gd->gc.gc_seq = 0;
             gd->win = gr.gr_win;
             break;
         }
     }
     /* End context negotiation loop. */
     if (gd->gc.gc_proc != RPCSEC_GSS_DATA) {
         if (gr.gr_token.length != 0)
             gss_release_buffer(&min_stat, &gr.gr_token);
 
         authgss_destroy(auth);
         auth = NULL;
         rpc_createerr.cf_stat = RPC_AUTHERROR;
 
         return (FALSE);
     }
     return (TRUE);
 }

◆ authgss_service()

bool_t authgss_service	(	AUTH *	auth,
		int	svc
	)

Definition at line 530 of file auth_gss.c.

 {
     struct rpc_gss_data *gd;
 
     log_debug("in authgss_service()");
 
     if (!auth)
         return(FALSE);
     gd = AUTH_PRIVATE(auth);
     if (!gd || !gd->established)
         return (FALSE);
     gd->sec.svc = svc;
     gd->gc.gc_svc = svc;
     return (TRUE);
 }

◆ authgss_unwrap() [1/2]

static bool_t authgss_unwrap ( )

static

◆ authgss_unwrap() [2/2]

bool_t authgss_unwrap	(	AUTH *	auth,
		XDR *	xdrs,
		xdrproc_t	xdr_func,
		caddr_t	xdr_ptr
	)

Definition at line 619 of file auth_gss.c.

 {
     struct rpc_gss_data *gd;
 
     log_debug("in authgss_unwrap()");
 
     gd = AUTH_PRIVATE(auth);
 
     if (!gd->established || gd->sec.svc == RPCSEC_GSS_SVC_NONE) {
         return ((*xdr_func)(xdrs, xdr_ptr));
     }
     return (xdr_rpc_gss_data(xdrs, xdr_func, xdr_ptr,
                  gd->ctx, gd->sec.qop,
                  gd->sec.svc, gd->gc.gc_seq));
 }

◆ authgss_validate() [1/2]

static bool_t authgss_validate ( )

static

◆ authgss_validate() [2/2]

static bool_t authgss_validate	(	AUTH *	auth,
		struct opaque_auth *	verf
	)

static

Definition at line 337 of file auth_gss.c.

 {
     struct rpc_gss_data *gd;
     u_int            num, qop_state;
     gss_buffer_desc      signbuf, checksum;
     OM_uint32        maj_stat, min_stat;
 
     log_debug("in authgss_validate()");
 
     gd = AUTH_PRIVATE(auth);
 
     if (gd->established == FALSE) {
         /* would like to do this only on NULL rpc --
          * gc->established is good enough.
          * save the on the wire verifier to validate last
          * INIT phase packet after decode if the major
          * status is GSS_S_COMPLETE
          */
         if ((gd->gc_wire_verf.value =
                 mem_alloc(verf->oa_length)) == NULL) {
             fprintf(stderr, "gss_validate: out of memory\n");
             return (FALSE);
         }
         memcpy(gd->gc_wire_verf.value, verf->oa_base, verf->oa_length);
         gd->gc_wire_verf.length = verf->oa_length;
         return (TRUE);
     }
 
     if (gd->gc.gc_proc == RPCSEC_GSS_INIT ||
         gd->gc.gc_proc == RPCSEC_GSS_CONTINUE_INIT) {
         num = htonl(gd->win);
     }
     else num = htonl(gd->gc.gc_seq);
 
     signbuf.value = &num;
     signbuf.length = sizeof(num);
 
     checksum.value = verf->oa_base;
     checksum.length = verf->oa_length;
 
     maj_stat = gss_verify_mic(&min_stat, gd->ctx, &signbuf,
                   &checksum, &qop_state);
     if (maj_stat != GSS_S_COMPLETE || qop_state != gd->sec.qop) {
         log_status("gss_verify_mic", maj_stat, min_stat);
         if (maj_stat == GSS_S_CONTEXT_EXPIRED) {
             gd->established = FALSE;
             authgss_destroy_context(auth);
         }
         return (FALSE);
     }
     return (TRUE);
 }

◆ authgss_wrap() [1/2]

static bool_t authgss_wrap ( )

static

◆ authgss_wrap() [2/2]

bool_t authgss_wrap	(	AUTH *	auth,
		XDR *	xdrs,
		xdrproc_t	xdr_func,
		caddr_t	xdr_ptr
	)

Definition at line 602 of file auth_gss.c.

 {
     struct rpc_gss_data *gd;
 
     log_debug("in authgss_wrap()");
 
     gd = AUTH_PRIVATE(auth);
 
     if (!gd->established || gd->sec.svc == RPCSEC_GSS_SVC_NONE) {
         return ((*xdr_func)(xdrs, xdr_ptr));
     }
     return (xdr_rpc_gss_data(xdrs, xdr_func, xdr_ptr,
                  gd->ctx, gd->sec.qop,
                  gd->sec.svc, gd->gc.gc_seq));
 }

Variable Documentation

◆ AUTH_TIMEOUT

struct timeval AUTH_TIMEOUT = { 25, 0 }

static

Definition at line 145 of file auth_gss.c.

Referenced by authgss_destroy_context(), and authgss_refresh().

◆ authgss_ops

struct auth_ops authgss_ops

static

Initial value:

= {
    authgss_nextverf,
    authgss_marshal,
    authgss_validate,
    authgss_refresh,
    authgss_destroy,
    authgss_wrap,
    authgss_unwrap
}

Definition at line 71 of file auth_gss.c.

Referenced by authgss_create().

Classes

Macros

Typedefs

Functions

Variables

Macro Definition Documentation

◆ AUTH_PRIVATE

Typedef Documentation

◆ gss_union_ctx_id_desc

◆ gss_union_ctx_id_t

Function Documentation

◆ authgss_create()

◆ authgss_create_default()

◆ authgss_destroy() [1/2]

◆ authgss_destroy() [2/2]

◆ authgss_destroy_context() [1/2]

◆ authgss_destroy_context() [2/2]

◆ authgss_get_private_data()

◆ authgss_marshal() [1/2]

◆ authgss_marshal() [2/2]

◆ authgss_nextverf() [1/2]

◆ authgss_nextverf() [2/2]

◆ authgss_refresh() [1/2]

◆ authgss_refresh() [2/2]

◆ authgss_service()

◆ authgss_unwrap() [1/2]

◆ authgss_unwrap() [2/2]

◆ authgss_validate() [1/2]

◆ authgss_validate() [2/2]

◆ authgss_wrap() [1/2]

◆ authgss_wrap() [2/2]

Variable Documentation

◆ AUTH_TIMEOUT

◆ authgss_ops